The InformationWeek -- Blogs
Over The Air

Topics:   Mobile


Study: NYC Retailers Not Protecting Wireless Networks


Posted by Eric Zeman, Jan 14, 2008 11:19 AM

Security company AirDefense recently surveyed the retail scene in all five NYC boroughs and determined that wireless security is lax just about everywhere. Fully 39% of access points in retail environments were completely unprotected, and 29% used only WEP encryption. That's your data that's not being protected. Listen up, NYC retailers: If you want my business, protect my info.


It appears that the dangers of open wireless networks haven't been adequately communicated to NYC-area retailers. The results of AirDefense's survey are nothing short of amazing:

During its monitoring, AirDefense discovered more than 1,300 Access Points. Alarmingly, 39% were unencrypted, with 29% encrypted with Wired Equivalent Privacy (WEP), the weakest protocol for wireless data encryption, which can be compromised in minutes but is in wide use today. In addition, it was found that others were utilizing Wi-Fi Protected Access (WPA) or WPA2, the two strongest encryption protocols for prevention against theft.

AirDefense conducted monitoring in some of the busiest retail locations within the five boroughs of NYC. AirDefense discovered numerous wireless vulnerabilities due to data leakage, rogue devices, mis-configured Access Points, poorly named Access Points, and outdated Access Point firmware utilized by large retail chains. Many retailers didn't simply follow basic security practices. This type of "cookie cutter" approach occurs when large retailers with multiple locations within NYC and/or nationwide use the same technology in all retail locations, so vulnerabilities will repeat themselves across the entire store chain.

AirDefense also found 35% of Service Set Identification (SSIDs) had the store name in the SSID, giving away retailers' identities. SSIDs can easily be reconfigured, but oftentimes are not. AirDefense found an unexpected upswing in rogue devices which might be attributed to the type of locations surveyed, as there was a broad focus on shopping areas with heavy consumer day-to-day use versus flagship tourist destinations where remote chains might have been overlooked by retailers. AirDefense also found point-of-sale devices advertising themselves over the wireless network. This, combined with the most recent operating system vulnerabilities, could lead to an easy compromise of the devices, as well as unauthorized credit card and consumer information obtained.

Additionally, some of the networks discovered were fresh out of the box, using default configurations and SSIDs, such as retail wireless, POS Wi-Fi, company name, or store#1234. This sends out a signal to someone with a desire to commit fraud that nothing has been changed on these devices and the entire wireless network.

I could possibly forgive some small, local businesses for not being up to speed on the threats of wireless technology. But the IT managers for any national chain shown to be compromising both the company's and customers' data should be scolded sternly.

I just decided to perform an unscientific study. I am working in a Starbucks today. From where I am sitting, I can see five Wi-Fi networks, including the one in Starbucks, and one around the corner in Panera. To access the Starbucks network, you have to have an account with T-Mobile. The Panera network is a public hotspot. The other three belong to national retail chains. Two of them are WPA protected. The third is free and clear.

This isn't good enough, people.
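
For a chain that wants to check its own stores against the findings quoted above, here is an added example (not from the post or from AirDefense) that audits an access-point inventory for open or WEP networks, brand names in SSIDs, and out-of-the-box SSIDs, and reports which findings repeat in every store. The inventory, the `ExampleMart` brand and the field names are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory (not survey data): one record per access point,
# as a retailer's own site survey might export it.
INVENTORY = [
    {"store": "0001", "ssid": "ExampleMart-Guest", "enc": "OPEN"},
    {"store": "0001", "ssid": "store#0001",        "enc": "WEP"},
    {"store": "0001", "ssid": "bo-7f3a",           "enc": "WPA2"},
    {"store": "0002", "ssid": "POS Wi-Fi",         "enc": "WEP"},
    {"store": "0002", "ssid": "bo-91c2",           "enc": "WPA2"},
    {"store": "0003", "ssid": "Example Mart POS",  "enc": "WEP"},
    {"store": "0003", "ssid": "retail wireless",   "enc": "WPA"},
    {"store": "0003", "ssid": "bo-44de",           "enc": "WPA2"},
]

BRAND_TERMS = ("examplemart",)  # assumption: the chain's own name(s)
# Out-of-the-box style names quoted in the post, compared after normalising.
DEFAULT_SSID = re.compile(r"retailwireless|poswifi|store\d+")

def normalise(ssid):
    """Lower-case and drop punctuation/spaces so 'POS Wi-Fi' == 'poswifi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def audit_ap(ap):
    """Return the list of findings for one access point record."""
    findings = []
    enc, name = ap["enc"].strip().upper(), normalise(ap["ssid"])
    if enc in ("", "OPEN", "NONE"):
        findings.append("unencrypted")
    elif enc == "WEP":
        findings.append("wep")
    if any(term in name for term in BRAND_TERMS):
        findings.append("brand-in-ssid")
    if DEFAULT_SSID.fullmatch(name):
        findings.append("default-ssid")
    return findings

def summarise(inventory):
    """Percentage of APs per finding, plus findings present in every store."""
    per_finding, per_store = defaultdict(int), defaultdict(set)
    for ap in inventory:
        per_store[ap["store"]]  # register stores that have no findings
        for f in audit_ap(ap):
            per_finding[f] += 1
            per_store[ap["store"]].add(f)
    pct = {f: round(100 * n / len(inventory), 1) for f, n in per_finding.items()}
    chain_wide = set.intersection(*per_store.values()) if per_store else set()
    return pct, sorted(chain_wide)

if __name__ == "__main__":
    print(summarise(INVENTORY))
```

Findings that show up in every store point to a shared deployment template rather than a one-off mistake, so the fix belongs in the template.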
